Table of Contents
Foreword xix
Introduction xxiii
I Preparing the Battle Space 1
1 Application Fortification 7
Recipe 1-1: Real-time Application Profiling 7
Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens 15
Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS) 19
Recipe 1-4: Integrating Intrusion Detection System Signatures 33
Recipe 1-5: Using Bayesian Attack Payload Detection 38
Recipe 1-6: Enable Full HTTP Audit Logging 48
Recipe 1-7: Logging Only Relevant Transactions 52
Recipe 1-8: Ignoring Requests for Static Content 53
Recipe 1-9: Obscuring Sensitive Data in Logs 54
Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog 58
Recipe 1-11: Using the ModSecurity AuditConsole 60
2 Vulnerability Identification and Remediation 67
Recipe 2-1: Passive Vulnerability Identification 70
Recipe 2-2: Active Vulnerability Identification 79
Recipe 2-3: Manual Scan Result Conversion 88
Recipe 2-4: Automated Scan Result Conversion 92
Recipe 2-5: Real-time Resource Assessments and Virtual Patching 99
3 Poisoned Pawns (Hacker Traps) 115
Recipe 3-1: Adding Honeypot Ports 116
Recipe 3-2: Adding Fake robots.txt Disallow Entries 118
Recipe 3-3: Adding Fake HTML Comments 123
Recipe 3-4: Adding Fake Hidden Form Fields 128
Recipe 3-5: Adding Fake Cookies 131
II Asymmetric Warfare 137
4 Reputation and Third-Party Correlation 139
Recipe 4-1: Analyzing the Client’s Geographic Location Data 141
Recipe 4-2: Identifying Suspicious Open Proxy Usage 147
Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL) 150
Recipe 4-4: Running Your Own RBL 157
Recipe 4-5: Detecting Malicious Links 160
5 Request Data Analysis 171
Recipe 5-1: Request Body Access 172
Recipe 5-2: Identifying Malformed Request Bodies 178
Recipe 5-3: Normalizing Unicode 182
Recipe 5-4: Identifying Use of Multiple Encodings 186
Recipe 5-5: Identifying Encoding Anomalies 189
Recipe 5-6: Detecting Request Method Anomalies 193
Recipe 5-7: Detecting Invalid URI Data 197
Recipe 5-8: Detecting Request Header Anomalies 200
Recipe 5-9: Detecting Additional Parameters 209
Recipe 5-10: Detecting Missing Parameters 212
Recipe 5-11: Detecting Duplicate Parameter Names 214
Recipe 5-12: Detecting Parameter Payload Size Anomalies 216
Recipe 5-13: Detecting Parameter Character Class Anomalies 219
6 Response Data Analysis 223
Recipe 6-1: Detecting Response Header Anomalies 224
Recipe 6-2: Detecting Response Header Information Leakages 234
Recipe 6-3: Response Body Access 238
Recipe 6-4: Detecting Page Title Changes 240
Recipe 6-5: Detecting Page Size Deviations 243
Recipe 6-6: Detecting Dynamic Content Changes 246
Recipe 6-7: Detecting Source Code Leakages 249
Recipe 6-8: Detecting Technical Data Leakages 253
Recipe 6-9: Detecting Abnormal Response Time Intervals 256
Recipe 6-10: Detecting Sensitive User Data Leakages 259
Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts 262
7 Defending Authentication 265
Recipe 7-1: Detecting the Submission of Common/Default Usernames 266
Recipe 7-2: Detecting the Submission of Multiple Usernames 269
Recipe 7-3: Detecting Failed Authentication Attempts 272
Recipe 7-4: Detecting a High Rate of Authentication Attempts 274
Recipe 7-5: Normalizing Authentication Failure Details 280
Recipe 7-6: Enforcing Password Complexity 283
Recipe 7-7: Correlating Usernames with SessionIDs 286
8 Defending Session State 291
Recipe 8-1: Detecting Invalid Cookies 291
Recipe 8-2: Detecting Cookie Tampering 297
Recipe 8-3: Enforcing Session Timeouts 302
Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime 307
Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions 314
9 Preventing Application Attacks 323
Recipe 9-1: Blocking Non-ASCII Characters 323
Recipe 9-2: Preventing Path-Traversal Attacks 327
Recipe 9-3: Preventing Forceful Browsing Attacks 330
Recipe 9-4: Preventing SQL Injection Attacks 332
Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks 336
Recipe 9-6: Preventing OS Commanding Attacks 340
Recipe 9-7: Preventing HTTP Request Smuggling Attacks 342
Recipe 9-8: Preventing HTTP Response Splitting Attacks 345
Recipe 9-9: Preventing XML Attacks 347
10 Preventing Client Attacks 353
Recipe 10-1: Implementing Content Security Policy (CSP) 353
Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks 362
Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks 371
Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks 377
Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks 381
11 Defending File Uploads 387
Recipe 11-1: Detecting Large File Sizes 387
Recipe 11-2: Detecting a Large Number of Files 389
Recipe 11-3: Inspecting File Attachments for Malware 390
12 Enforcing Access Rate and Application Flows 395
Recipe 12-1: Detecting High Application Access Rates 395
Recipe 12-2: Detecting Request/Response Delay Attacks 405
Recipe 12-3: Identifying Inter-Request Time Delay Anomalies 411
Recipe 12-4: Identifying Request Flow Anomalies 413
Recipe 12-5: Identifying a Significant Increase in Resource Usage 414
III Tactical Response 419
13 Passive Response Actions 421
Recipe 13-1: Tracking Anomaly Scores 421
Recipe 13-2: Trap and Trace Audit Logging 427
Recipe 13-3: Issuing E-mail Alerts 428
Recipe 13-4: Data Sharing with Request Header Tagging 436
14 Active Response Actions 441
Recipe 14-1: Using Redirection to Error Pages 442
Recipe 14-2: Dropping Connections 445
Recipe 14-3: Blocking the Client Source Address 447
Recipe 14-4: Restricting Geolocation Access Through Defense Condition (DefCon) Level Changes 452
Recipe 14-5: Forcing Transaction Delays 455
Recipe 14-6: Spoofing Successful Attacks 462
Recipe 14-7: Proxying Traffic to Honeypots 468
Recipe 14-8: Forcing an Application Logout 471
Recipe 14-9: Temporarily Locking Account Access 476
15 Intrusive Response Actions 479
Recipe 15-1: JavaScript Cookie Testing 479
Recipe 15-2: Validating Users with CAPTCHA Testing 481
Recipe 15-3: Hooking Malicious Clients with BeEF 485
Index 495